SSL issue with atlas.ripe.net
Hello,

I'm facing an issue while using Atlas API. Some connections (not all) to https://atlas.ripe.net fail because of what seems to be an invalid certs chain. It looks like an intermediate cert is missing.

SSLLabs too reports something similar: https://www.ssllabs.com/ssltest/analyze.html?d=atlas.ripe.net&s=193.0.6.158

$ openssl s_client -connect atlas.ripe.net:443 -servername atlas.ripe.net
CONNECTED(00000003)
depth=0 C = NL, ST = Noord-Holland, L = Amsterdam, O = RIPE NCC, CN = atlas.ripe.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = NL, ST = Noord-Holland, L = Amsterdam, O = RIPE NCC, CN = atlas.ripe.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = NL, ST = Noord-Holland, L = Amsterdam, O = RIPE NCC, CN = atlas.ripe.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=RIPE NCC/CN=atlas.ripe.net
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=NL/ST=Noord-Holland/L=Amsterdam/O=RIPE NCC/CN=atlas.ripe.net
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
...
Verify return code: 21 (unable to verify the first certificate)

--
Pier Carlo Chiodi - Active Network S.p.A.
via della Chimica, 18 - 01100 Viterbo
Tel: +39 0761 17691 08 - Fax: +39 06 23328079
"Pier Carlo Chiodi - Active Network S.p.A." <pc.chiodi@activenetwork.it> writes:
> Some connections (not all) to https://atlas.ripe.net fail because of what seems to be an invalid certs chain. It looks like an intermediate cert is missing.
I see the same problem.

Extra data point: The requests appear to be served by one or more Apache instances and one or more nginx instances. The chain is complete and validation successful for Apache. The chain is incomplete and validation fails for nginx.

Apache:

bjorn@miraculix:/tmp$ openssl s_client -connect 193.0.6.158:443 -servername atlas.ripe.net
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = NL, ST = Noord-Holland, L = Amsterdam, O = RIPE NCC, CN = atlas.ripe.net
verify return:1
Server did acknowledge servername extension.
---
Certificate chain
 0 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=RIPE NCC/CN=atlas.ripe.net
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
..
---
SSL handshake has read 4752 bytes and written 773 bytes
Verification: OK
---
..
---
HEAD / HTTP/1.0

HTTP/1.1 400 Bad Request
Date: Thu, 02 Mar 2017 08:47:32 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000
Connection: close
Content-Type: text/html; charset=iso-8859-1

closed

nginx:

bjorn@miraculix:/tmp$ openssl s_client -connect 193.0.6.158:443 -servername atlas.ripe.net
CONNECTED(00000003)
depth=0 C = NL, ST = Noord-Holland, L = Amsterdam, O = RIPE NCC, CN = atlas.ripe.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = NL, ST = Noord-Holland, L = Amsterdam, O = RIPE NCC, CN = atlas.ripe.net
verify error:num=21:unable to verify the first certificate
verify return:1
Server did acknowledge servername extension.
---
Certificate chain
 0 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=RIPE NCC/CN=atlas.ripe.net
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
..
---
SSL handshake has read 2578 bytes and written 325 bytes
Verification error: unable to verify the first certificate
---
..
---
HEAD / HTTP/1.0

HTTP/1.1 403 Forbidden
Server: nginx/1.10.2
Date: Thu, 02 Mar 2017 08:47:40 GMT
Content-Type: text/html
Content-Length: 169
Connection: close
Strict-Transport-Security: max-age=15768000; includeSubDomains

closed

Bjørn
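
Added example, not part of either post: a way to attribute intermittent chain failures on one address to the backend that causes them, by parsing saved `openssl s_client` transcripts and grouping them by the HTTP Server header. The function names are hypothetical and the two transcripts are constructed, abridged from the output quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed transcripts: abridged copies of the two outputs quoted in the thread.
LEAF = "/C=NL/ST=Noord-Holland/L=Amsterdam/O=RIPE NCC/CN=atlas.ripe.net"
INTERMEDIATE = "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA"
ROOT = "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA"

APACHE_PROBE = f"""CONNECTED(00000003)
verify return:1
---
Certificate chain
 0 s:{LEAF}
   i:{INTERMEDIATE}
 1 s:{INTERMEDIATE}
   i:{ROOT}
---
Verification: OK
---
HTTP/1.1 400 Bad Request
Server: Apache
"""
NGINX_PROBE = f"""CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:{LEAF}
   i:{INTERMEDIATE}
---
Verification error: unable to verify the first certificate
---
HTTP/1.1 403 Forbidden
Server: nginx/1.10.2
"""

def parse_probe(text):
    """Summarise one s_client transcript: backend, chain sent, verify errors."""
    chain = re.findall(r"^[ \t]*\d+ s:(.+)\n[ \t]*i:(.+)$", text, re.M)
    errors = sorted({int(n) for n in re.findall(r"^verify error:num=(\d+):", text, re.M)})
    server = re.search(r"^Server: ([^/\s]+)", text, re.M)
    # Assumption: the leaf is issued by an intermediate, so its issuer must be
    # the subject of a later certificate that the server itself sent.
    sent_subjects = {subject for subject, _ in chain[1:]}
    return {"backend": server.group(1) if server else "unknown",
            "chain_len": len(chain), "errors": errors,
            "issuer_sent": bool(chain) and chain[0][1] in sent_subjects}

def failing_backends(transcripts):
    """Group probes of one address by Server header; return backends whose probes fail."""
    stats = defaultdict(lambda: {"probes": 0, "failed": 0})
    for probe in map(parse_probe, transcripts):
        stats[probe["backend"]]["probes"] += 1
        stats[probe["backend"]]["failed"] += bool(probe["errors"]) or not probe["issuer_sent"]
    return {name: s for name, s in stats.items() if s["failed"]}
```

The `issuer_sent` check flags a missing intermediate even when the probing client validates successfully because it already holds that intermediate locally.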
participants (2)
- Bjørn Mork
- Pier Carlo Chiodi - Active Network S.p.A.